USA Today has an interesting story on efforts by several state Attorneys General to get MySpace to turn over the names and addresses of registered sex offenders who have profiles on the site. The state AGs wrote a letter asking MySpace to turn over the information. MySpace refused, citing the privacy protections of the Electronic Communications Privacy Act. The state AGs responded by "blasting" Myspace for its refusal to help:

Connecticut Attorney General Richard Blumenthal on Tuesday blasted MySpace for refusing to share the information and said no subpoena is needed for MySpace to tell the attorneys general how many registered sex offenders use the site "or other information relating to possible parole violations." "I am deeply disappointed and troubled by this unreasonable and unfounded rejection of our request for critical information about convicted sex offenders whose profiles are on MySpace," Blumenthal said. "By refusing this information, MySpace is precluding effective enforcement of parole and probation restrictions that safeguard society." North Carolina Attorney General Roy Cooper echoed the sentiment, saying "it's sad that MySpace is going to protect the privacy of sex offenders over the safety of children."

MySpace is clearly right that federal privacy law prohibits them from complying with the AG's letter, at least in its entirety. MySpace provides both electronic communications services and remote computing services under the Stored Communications Act portion of ECPA, so they can't disclose basic subscriber information to the government without a subpoena or court order unless one of several exceptions in 18 U.S.C. 2702 applies (which none does).

It's a trickier question with meta-data like the total number of registered sex offenders. The statute prohibits the disclosure of "information pertaining to a subscriber or customer." 18 U.S.C. 2702(c)(1). Does the fact that X sex offenders are MySpace subscribers constitute information "pertaining" to its subscribers? I think it does — it does relate to them, even if it is not personally identifying. So although it's a closer case, I would think that MySpace probably can't turn over that information either.

Why did the state AG's even bother writing this letter, given that federal privacy law blocks the disclosure in these circumstances (clearly for some information, less clearly for other information)? I can think of a few possible explanations. One possibility is that this California's state privacy law may require a warrant for this information rather than a subpoena. See Cal. Penal Code 1524.2, 1524.3. In a federal investigation, the California law would be ignored under the Supremacy Clause, and the govermment would be able to obtain the information with a subpoena. In contrast, state investigations have to comply with California state law. If that law requires a warrant, obviously the AG's can't get one — they don't have any PC.

So perhaps the AG's knew that they couldn't compel the information from MySpace legally, and instead they wrote a letter hoping that MySpace might conclude that disclosure would fit in a voluntary disclsoure exception to 2702. (To be clear, I'm not at all sure about this theory, as California's statutory scheme is rather puzzling. But it seems like a possibility worth floating. Note that even barring state law regulation, out-of-state court orders are not binding on MySpace in California.) That's the less cynical explanation, anyway.

Do myspace users count as subscribers? The service is free, I'm not sure I would consider them customers.

Also, there is an exception: "to a governmental entity, if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information"

If convicted sex offenders have profiles on myspace they are using to find children, surely that could be considered such an emergency? While perhaps not clear cut, it surely offers myspace an excuse to divulge the information, which they should want to do anyway.

Just as the AG shouldn't be allowed to wiretap a sex offender's phone without a warrant for life, he should be required to issue a subpoena for the information.

From the MySpace Law Enforcement Policy:

Subpoenaing Private Information

To request private (non-public) information from MySpace about a specific profile or user, we require a subpoena, search warrant or other legal process.

The following list is private content that is not publicly accessible. Some of the content is provided by the users themselves upon registration when updating profiles. Other items are collected by the site automatically or involve communications on MySpace.

IP logs (recorded at time of login)
Date profile created
Dates and times of login (PST)
E-mail address provided by user
Zip code provided by user
Name provided by user
Private MessagesPrivate blogs

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." U.S. Constit. Am. 4.

I hope Myspace stands by their conviction and doesn't give into the bullying of the AG. I truly believe that MySpace is NOT protecting sex offenders over children. They have deleted the sites have they not? And for what reason does the AG think that they may of done this?

I am not a lawyer, but I am a network administrator. I have more knowledge of computer systems than the average person.

How is MySpace supposed to have a clue who on their sight is a registered sex offender and who isn't?

When you register, you give your name, zip code, email address, birth date. That's it. No address, no phone number. No process to verify that you gave them a real name even. See all the fake celebrity MySpace Profiles.
They could add a check box to ask people if they are registered sex offenders. Everyone would pick "NO", so it is a worthless excercise.

MySpace doesn't even have enough information to provide a MetaData answer on the number of registered sex offenders. They don't ask the question and it isn't something people volunteeer when they register.

The best the AG's could hope for is to give MySpace a list of names, zip codes and known email addresses. If a name matches, then the AG can do further investigation.

Although, I don't know why the AG's need MySpace's cooperation to do that. They have employees, they have Myspace's search tools, they have the list of names. They can run their own searches.

If convicted sex offenders have profiles on myspace they are using to find children, surely that could be considered such an emergency? While perhaps not clear cut, it surely offers myspace an excuse to divulge the information, which they should want to do anyway.

If convicted sex offenders want to "find children," I suspect they would use more complicated technology like "windows." (And not the Microsoft kind.) As in, looking out theirs, and seeing the children outside. This is simply politician hysteria, by people who really don't understand the internet anyway.

There is zero reason to believe that a sex offender (*) having a myspace page would present "an emergency involving immediate danger of death or serious physical injury to any person," any more than a sex offender having a car would present such an emergency.

If convicted sex offenders have profiles on myspace they are using to find children, surely that could be considered such an emergency? While perhaps not clear cut, it surely offers myspace an excuse to divulge the information, which they should want to do anyway.

1. How do you propose to differentiate between sex offender profiles that are being used to find children and ones that are not? Please be specific, even if your answer is to divulge the information first and figure it out later.

2. You easily gloss over "perhaps not clear cut," yet this is supposed to provide some kind of justification for extracting information from myspace which they are not legally required to provide? Why should myspace "want to" give this information up?

There's a lot of hysteria to be had here, and "won't somebody think about the children?!" is historically a rationale of last resort. If this information is necessary to the investigations and operations of the concerned AG's, then they can work on getting some laws passed that address those concerns. Should it be any other way?

It is amazing the AG's in the individual states wish to keep RFSO's off social sites like myspace.com. Myspace has stated they have over 175,000,000 subscribers and the NC AG said that 100 children was allegedly contacted by predators. They failed to say if these predators were registered sex offenders or general public. Consider the fact that 100 out of 175,000,000 is such a minuet number, a child would have more of a chance being hit by lightning than contacted by a "predator" (remember, the AG's do not tell the public if the cont-actor is a RFSO or normal people) This fervent feeding to the public to create additional fear is unjustified and against the !st Amendment of the United States Constitution.

It is time the continual destruction of people in this country stop, for who will be next should these governmental hatemongers succeed?

It seems pretty clear to me that they're after more than just a list of names. For instance, the letter remarks that "[w]e remain concerned about the design of your site, the failure to require parental permission, and the lack of safeguards necessary to protect our children." If I were MySpace, I'd be concerned about endless demands to "do more" to "protect the children." For instance, how would parental permission be obtained? How do you know the permission you've received, in whatever form, actually comes from the child's parent?

As a thought experiment, I wonder what would happen if the roles were reversed: MySpace sends a list of hundreds of names to a state AG, and says that MySpace suspects that they may be sex offenders. "In order to protect our children," says MySpace, "please investigate and take all necessary steps to make sure these predators don't harm innocent young people." Would the AG thank MySpace for the tip, and jump right on it?

For instance, how would parental permission be obtained? How do you know the permission you've received, in whatever form, actually comes from the child's parent?

How do businesses that cater to adult customers keep children out? They put someone there to do some sort of verification of patrons who wish to enter. For a bar with one hundred and fifty people in it, they might staff seven or eight security, it's just the cost of doing business. MySpace and Google frequently claim it would be impossible to verify registrants and uploaders to YouTube, but really mean that it would be expensive. Probably expensive enough to make their business model unworkable. But it certainly isn't impossible for them to do.

The problem, Guest, is that unlike the bar, MySpace and its' customers never get within eyeball range of each other. Sure, you can require things like credit card numbers which theoretically you have to be an adult to get. Having seen many stories about people getting credit cards for their dogs, the emphasis is on theoretically.

Orin, you are a lawyer, so I assume that's why you focus narrowly on the legal aspect of this issue and, after all, the VC is a legal blog.

Why did the state AG's even bother writing this letter ...

Well, judging by their language, for the same reason most of the sex laws have been passed: To look good to the public that elects them. Nothing better than beating up on "predators". "won't somebody think about the children?!" is historically not a rationale of last resort, but of first resort.

I'd like to hear opinions by people more in the loop, but am I right that the war on drugs broke legal ground in getting laws passed and upheld that ever expanded the State's power and diminished citizens liberties, followed by the sex offender hysteria to accelerate this trend with DUI a close second? Not to forget the war on terror. Even though the Patriot Act was passed to fight terrorists and was not to be used in ordinary law enforcement, I recall then AG Ashcroft grandstanding in front of the Media how it was used to nab some people in possesion of CP. Not a peep from anyone.
Nobody wants to be supected of not wanting to protect "our children".

I fully understand that difference. I just don't see that it matters. The fact that it's expensive or difficult isn't relevant. Industrial plants and factories would be tremendously more profitable if they could dump their waste anywhere handy or pump fumes into the atmosphere. But we require them to do what is expensive and difficult in order to control the negative impact they might have on others.

MySpace could require that every user provide an SSL certificate from an issuer that has done an extensive in-person validation* that you are who you say you are. It might be expensive, but it's not impossible. Saying it's impossible is just avoiding the conversation of whether the world needs MySpace more than it doesn't need it's negative effects. And to be honest, MySpace is much less of an offender than YouTube.

* Something like the background check you get when applying for a security clearance with the Feds. Where you have to fill out all your relatives, their addresses and birth dates. You have to list every address you've lived at in the last ten, or more, years and the name and address of someone who knew you there.

Why would the AG's do this? They're politicians; cheap publicity seems as good an answer as any.

Mr. Nieporent, above, made a valid point that I will reiterate: There's an awful lot of conflation being done by the AGs, since only a small percentage (a vile one, certainly, but small) of "sex offenders" are pedophiles.

I'm probably more sensitive to this than most. Except for the persuasive words of the local JP, I could well be in that class, since the girl was under the age of 16. Of course, I was a year younger than her, but the law at the time made no allowances.

Sure, you can require things like credit card numbers which theoretically you have to be an adult to get. Having seen many stories about people getting credit cards for their dogs, the emphasis is on theoretically.

Due to the frequency with which I flew when I was young, I got my first credit card offer from an airline at age 4.

More significantly, many parents make sure that their children get credit cards if they're regular drivers. That ensures an easy way to pay for gas, and as long as the kids only pay for gas it will save them money due to rewards points. Now, most states don't allow licensing until at least 16, but I suspect many children have credit cards at that point.

Basically it is the job of the parent to be aware of what their children are doing online. It would be much easier (and cheaper) for a parent to simply install a keylogger or some other spyware on their children's computers.

As for the toxic waste example, the parental figure of those companies is the government. Telling them where/how they can get rid of waste is the same as saying "don't put your laundry on the floor."

Requiring every child to undergo extensive background checks would be a horrible idea. You've just created a massive online database of information on a large number of children. Just imagine what would happen if that info were to fall into a pedophile's hands.

Basically it is the job of the parent to be aware of what their children are doing online. It would be much easier (and cheaper) for a parent to simply install a keylogger or some other spyware on their children's computers.

So you'll make the same argument wrt. bars, strip clubs, churches, tattoo parlors, tanning salons, and the like? If not then why put a burden on brick and mortar stores, and shift the burden away from the business for Internet businesses?

As for the toxic waste example, the parental figure of those companies is the government. Telling them where/how they can get rid of waste is the same as saying "don't put your laundry on the floor."

I don't think that is a valid way of looking at it. The concern here isn't if children are leaking their personal information or whether parents know what their children are doing online, but whether MySpace knows who their account creators are. The question asked is how many of the subscribers are sex offenders, not how many are minors.

However, I agree, parents should have some idea of what their kids are doing.

Requiring every child to undergo extensive background checks would be a horrible idea. You've just created a massive online database of information on a large number of children. Just imagine what would happen if that info were to fall into a pedophile's hands.

Why exactly would the results of background checks have to be stored on a system connected to the internet? Or even on a computer. Regardless, such information already exists and it's likely online in many communities.

So you'll make the same argument wrt. bars, strip clubs, churches, tattoo parlors, tanning salons, and the like?

Yes. When have I ever expressed an opinion otherwise? The only possible exception I can think of is that it is illegal to sell alcohol to people who are under 21. I don't have a problem with requiring bars to make a good faith effort of complying with the law (e.g. check ID first)...although I do have problem with the punishment system. The minor with a fake id gets sent home unpunished and the bar is slapped with a multi-thousand fine and/or has its license revoked. I think it should be the other way around. These laws seem to be designed to punish the bar for having the audacity to serve alcohol rather than actually prevent minors from drinking alcohol. Although this exception does not pertain to myspace because it is not illegal for minors above a certain age to use the site and myspace already blocks profiles from users under that age.

I don't think that is a valid way of looking at it. The concern here isn't if children are leaking their personal information or whether parents know what their children are doing online, but whether MySpace knows who their account creators are. The question asked is how many of the subscribers are sex offenders, not how many are minors.

If that is what you meant by your analogy, then your analogy is flawed also. It is the actions of the sexual predators that have a negative impact on society, not the actions of myspace. Your analogy has the burden placed on the creator of the toxic waste, but what you are asking here is to have the burden placed on the owner of the river that the waste was dumped in. There is no analogous law (that I'm aware of) that requires everyone who owns a piece of land to a) prevent people from dumping toxic waste on their land or b) give the government detailed information on everyone who has ever accessed the land in the hopes that someone who dumps toxic waste will be caught.

"Why exactly would the results of background checks have to be stored on a system connected to the internet? Or even on a computer. Regardless, such information already exists and it's likely online in many communities."
How else would you store them? Even if you store them on paper, how are you going to analyze the information for evidence of predators? It would be an exercise in futility to do it by hand. At some point its going to be digitized and once its digitized its open for theft on a grand scale. It's irrelevant that the info already exists, its not organized into one massive database. The cost and time involved of accessing the many databases would prevent nearly all predators from even trying. This is obvious when we look at other crimes such as identity theft or fraud.

You haven't. Society has. I figure since society has an already established baseline for these kinds of things, it would make sense to treat all businesses the same the same.

How else would you store them? Even if you store them on paper, how are you going to analyze the information for evidence of predators?

The background check isn't to identify predators. The tongue-in-cheek suggestion was that only people with personal SSL certificates could get a log in on myspace. In order to get the cert one would have to go through a background check that verifies that one is who one says one is. The only purpose of the background check is to verify identity. There is no need to store it or data mine it or do anything with it other than drop it into a shredder after it's been completed and the identity has been ascertained.

You're trying to solve a different problem than I am. My solution is to the problem that MySpace says they can't actually identify anyone on their site because they just assume you are who you say you are.

The whole idea that people are effectively anonymous on MySpace, YouTube, orkut, etc. is silly. There's no real need for the providers not to know the identities of the people using the sites. Because they don't know such identities a lot of policing that could be done to eliminate all kinds of sociopathic behavior can't be accomplished.

The whole idea that people are effectively anonymous on MySpace, YouTube, orkut, etc. is silly. There's no real need for the providers not to know the identities of the people using the sites. Because they don't know such identities a lot of policing that could be done to eliminate all kinds of sociopathic behavior can't be accomplished.

I hope you are not arguing that the internet should no longer be anonymous...the results of that would be much worse than what we have now. There is not a lot of sociopathic behavior on the sites you are talking about...none that can't be solved by better monitoring by parents.

There is no real reason for any of these companies to know the identity of the users. They generate revenue from advertisements. they get the same whether your name is joe or brooke.

The only purpose of the background check is to verify identity. There is no need to store it or data mine it or do anything with it other than drop it into a shredder after it's been completed and the identity has been ascertained.

The problem with this though is that you have just made your secure background checks equivalent to credit cards used for verification purposes only. They're given out only to people who have proven their identities...at least that's the way it's supposed to work. Once a credit card is given out then anyone can use it and no one will know that you aren't the person you say you are...especially if you don't store and mine the data. (e.g. what's stopping 10 registered sex offenders from signing up using the same clean certificate? or if you have the company run the background check itself, what's to stop the above 10 people from entering in the same information?)

I hope you are not arguing that the internet should no longer be anonymous...

I don't know. I can see the case for both anonymity and for non-anonymity. Our other telecommunications systems are not anonymous which is something to consider. I think that in general it should be possible to connect an IP address to the person who is responsible for the devices attached to that IP address.

There is no real reason for any of these companies to know the identity of the users. They generate revenue from advertisements. they get the same whether your name is joe or brooke.

As a person who browses the sites, of course it doesn't matter your identity. As someone who is setting up a page on MySpace that is libeling someone, their identity should certainly be available with the proper warrants, subpoena or other court order. Someone uploading gigs of zero day movies to youtube should be able to be identified as well. Someone posting pictures of you at every location you've visited for the last six weeks.

The problem with this though is that you have just made your secure background checks equivalent to credit cards used for verification purposes only.

It's not a serious suggestion. Just an example of a way that MySpace could improve their efforts at making sure people are who they claim to be. Rather than just disclaiming all responsibility.